Creating a Firewall

Working with Firewall-as-a-Service in Rackspace Cloud on OpenStack Flex

A Firewall (FWaaS v2) in Rackspace Cloud provides network-level traffic filtering for your OpenStack environments. It allows you to define firewall rules and policies that control ingress and egress traffic at the router level. Using FWaaS v2, you can permit or deny traffic based on IP address, protocol, and port, helping enforce security boundaries across your project networks. FWaaS integrates directly with OpenStack Neutron and is managed through the Skyline UI for ease of configuration.

❗️ FWaaS is still in Limited Availability and is currently only available in the IAD region. Additional regions will receive this feature in the near future.

Prerequisites

Before you begin configuring FWaaS v2, ensure the following:

If you don't have a router, network, or subnet, check out our guides on getting those set up:

NOTE: This guide focuses on using the Skyline UI. FWaaS v2 can also be configured via the OpenStack CLI.


1: Navigating to Firewall (FWaaS) Section

To begin configuring FWaaS, navigate to the firewall section in Skyline.

  1. Log in to Skyline UI.
  2. In the left-hand menu, navigate to Network → Firewalls.
  3. Select the Firewall Rules tab.

2: Create a Firewall Rule

Firewall rules define how specific traffic is handled. These rules are later grouped into a firewall policy and evaluated in order.

  1. Click Create Firewall Rule and provide the following information:
  • Name: Enter a descriptive name for the rule.

  • Protocol: Select one of the following:

    • TCP – Common for web and application traffic.
    • UDP – Used for services like DNS or streaming.
    • ICMP – Used for ping and network diagnostics.
    • ANY – Applies to all protocols.
  • Rule Action:

    • ALLOW – Permits matching traffic.
    • DENY – Silently drops traffic.
    • REJECT – Drops traffic and returns an error response to the sender.
  • IP Version: Choose IPv4 or IPv6 depending on your network configuration.

  • Source IP Address/Subnet: Define the source in CIDR format (e.g., 192.168.1.0/24). Use 0.0.0.0/0 to match all sources.

  • Source Port/Port Range: (Optional) Specify a single port or range (e.g., 80 or 1000-2000).

  • Destination IP Address/Subnet: Define the destination in CIDR format.

  • Destination Port/Port Range: Specify the destination port or range (e.g., 22, 80, 443).

  • Options:

    • Enabled – Activates the rule.
    • Shared – Makes the rule available across projects (if permitted).
  • Description: (Optional) Add additional context for the rule.

  2. Click Create.

3: Create a Firewall Policy

A firewall policy is an ordered collection of firewall rules that will be enforced together.

  1. Navigate to the Firewall Policies tab.
  2. Click Create Policy.
  • Name: Enter a policy name.
  • Description: (Optional) Add a description.
  3. Click OK.
  4. In the right-hand column, click More and then Insert Rule to add rules to the policy.
  5. Click the Radial Dot next to the rule(s) you want to add to the policy.
  6. Select where the rule will be placed in the section below. Order matters, as rules are evaluated top-down.
  7. Click OK.


4: Create a Firewall Group

Firewall Groups apply a firewall policy to one or more routers.

  1. Navigate to the Firewalls tab.
  2. Click Create Firewall.
  • Name: Enter a name.
  • Ingress Policy: Select the policy for incoming traffic.
  • Egress Policy: Select the policy for outgoing traffic.
  • Ports: Switch to the Router port tab and select one or more routers to apply the firewall to.
  • Admin State: Enable or disable the firewall group.
  • Description: (Optional) Add a description.

  3. Click Create.


5: Verify Firewall Behavior

After applying the firewall group, validate that traffic is being filtered as expected.

  • Test allowed traffic (e.g., SSH, HTTP).
  • Confirm blocked traffic is denied.
  • Review instance connectivity and application behavior.

NOTE: Changes to firewall rules or policies may take a short time to propagate.


(Optional) 6: Modify or Reorder Rules

Firewall rules are processed in order. Adjusting rule priority can change behavior.

  1. Navigate to Firewall Policies.
  2. Select your policy.
  3. Reorder rules as needed.
  4. Save changes.

NOTE: Rules cannot be edited. They have to be deleted and recreated or replaced.
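
The top-down evaluation described in sections 3 and 6, as an added example (not part of the original guide and not Rackspace or OpenStack code): a small Python model of first-match rule evaluation that also reports rules an earlier, broader rule makes unreachable. The `Rule` class, the function names, and the sample addresses are constructed for illustration; the model is IPv4-only, and the final implicit deny for unmatched traffic is an assumption about FWaaS v2 behavior.

```python
import ipaddress
from dataclasses import dataclass
_net = ipaddress.ip_network

@dataclass(frozen=True)
class Rule:                       # fields mirror the Create Firewall Rule form
    name: str
    action: str                   # "allow", "deny" or "reject"
    protocol: str = "any"         # "tcp", "udp", "icmp" or "any"
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    dest_ports: str = ""          # "", "22" or "1000-2000"
    enabled: bool = True

def _ports(spec):
    low, _, high = (spec or "0-65535").partition("-")
    return int(low), int(high or low)

def evaluate(policy, proto, src, dst, port=None):
    """Return (action, rule name) for the first enabled rule that matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        low, high = _ports(r.dest_ports)
        port_ok = low <= port <= high if port is not None else not r.dest_ports
        if (r.enabled and r.protocol in ("any", proto) and port_ok
                and src in _net(r.source) and dst in _net(r.destination)):
            return r.action, r.name
    return "deny", "implicit-default"  # assumption: unmatched traffic is dropped

def _covers(a, b):
    """True when every packet matching rule b also matches earlier rule a."""
    (alo, ahi), (blo, bhi) = _ports(a.dest_ports), _ports(b.dest_ports)
    return (a.enabled and a.protocol in ("any", b.protocol)
            and _net(b.source).subnet_of(_net(a.source))
            and _net(b.destination).subnet_of(_net(a.destination))
            and alo <= blo and bhi <= ahi)

def shadowed(policy):
    """List (rule, earlier rule) pairs where the later rule can never fire."""
    return [(b.name, a.name) for i, b in enumerate(policy)
            for a in policy[:i] if _covers(a, b)]

# Constructed sample rules (documentation address ranges, not from the page).
ALLOW_SSH = Rule("allow-ssh-admin", "allow", "tcp",
                 "203.0.113.0/24", "192.168.1.0/24", "22")
DENY_TCP = Rule("deny-all-tcp", "deny", "tcp")
BAD_ORDER = [DENY_TCP, ALLOW_SSH]    # broad deny first: the SSH allow is dead
GOOD_ORDER = [ALLOW_SSH, DENY_TCP]   # specific allow first, then the deny
```

Running `shadowed()` over a planned rule order before inserting rules into a policy shows which entries would never be reached, which matters here because rules cannot be edited in place.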


Confirm

Your FWaaS v2 configuration is now active. Traffic flowing through the associated router(s) will be filtered according to your defined firewall rules and policies. Continue monitoring and refining rules to match your application security requirements.